Home / Vulnerability Intelligence / CVE-2026-26022

CVE-2026-26022 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: March 5, 2026

Gogs - Stored XSS

Published: March 5, 2026Updated: March 5, 2026Remote Exploitable

Overview

Gogs < 0.14.2 contains a stored XSS caused by allowing data: URI schemes in comment and issue description sanitizer, letting authenticated users execute arbitrary JavaScript, exploit requires user authentication.

Severity & Score

Severity: High

CVSS Score: 8.7

Impact

Authenticated users can execute arbitrary JavaScript, potentially leading to session hijacking or user impersonation.

Mitigation

Upgrade to version 0.14.2 or later.

References

https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j
https://github.com/gogs/gogs/commit/441c64d7bd8893b2f4e48660a8be3a7472e14291
https://github.com/gogs/gogs/pull/8174

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-26022
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: unconfirmed

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N